The password manager LastPass has begun the new year with a new security resolution: a 12-character minimum for master passwords.
While the requirement increases account security, experts who spoke with IT Brew also emphasized the importance of introducing stronger measures like multi-factor authentication (MFA).
“There needs to be something more than the password just to get into your password manager,” Dan Conrad, Active Directory security and management team lead at One Identity, told IT Brew. “If you’ve got a password manager, and it just requires a 25-character string to get in, with no multi-factor, I wouldn’t endorse it at all.”
In addition to a mandatory 12-character-minimum password (which must include at least one uppercase, lowercase, or special character), LastPass also used its Jan. 2 post to announce that it is “prompting customers to re-enroll their multi-factor authentication.”
LastPass does not require customers to enroll in MFA, but the company strongly recommends its use. “Enabling MFA adds an extra layer of security by requiring another form of verification beyond the master password,” Elizabeth Bassler, director of corporate communications at the password manager, wrote to IT Brew in an email.
No getting around it. The 12-character minimum has been LastPass’s default setting since 2018, said the company in its post, but customers until now “still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so.”
Verizon’s most recent data breach investigations report, released in June 2023, saw credential compromise as a leading vector in data breaches, featuring in 44.7% of the cyber incidents studied between November 1, 2021 and October 31, 2022.
And the compromise of a password-manager master password potentially compromises all accounts held in the tool.
In late 2022, following an admission that a threat actor was “able to copy a backup of customer vault data,” LastPass also stated: “The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”
LastPass’s action to protect against password-guessing brutes is a step in the right direction, said Johannes Ullrich, dean of research at SANS Institute.
“The problem is it’s still only a user-defined password,” Ullrich told IT Brew.
Ullrich noted that at least one competitor—1Password—enforces an additional factor: a randomly generated security key that is combined with the user’s password to derive the key that encrypts the vault.
“If they don’t do this, then if you have a weak password, your password will be brute-forced,” said Ullrich.
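To make the offline-guessing point concrete, here is an added illustration (not LastPass or 1Password code; the KDF settings, salt, check value and guess rate are constructed for the example). It derives a vault key from the master password alone and, alternatively, from the password mixed with a random secret key, then compares how much an attacker holding a copied vault would have to search in each case.

```python
import hashlib
import math
import secrets

# Constructed KDF parameters for the example; vendors choose their own.
KDF_ITERATIONS = 100_000
KEY_LEN = 32

def derive_vault_key(master_password, secret_key=b"", salt=b"constructed-salt"):
    """PBKDF2-HMAC-SHA256 over the master password, optionally mixed with a
    random, locally stored secret key (the 1Password-style second ingredient).
    With secret_key empty, the key depends only on what the user typed."""
    material = master_password.encode() + b"\x00" + secret_key
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, dklen=KEY_LEN)

def key_check_value(vault_key):
    """Verifier stored next to the encrypted vault so the client can confirm a
    derived key before decrypting. Whoever copies the vault gets this too, which
    is why a password-only scheme can be guessed against offline."""
    return hashlib.sha256(b"vault-key-check:" + vault_key).digest()

def unlock_vault(master_password, secret_key, salt, stored_check):
    """True when the supplied password (and secret key) reproduce the stored verifier."""
    return key_check_value(derive_vault_key(master_password, secret_key, salt)) == stored_check

def guess_space_bits(charset_size, length, secret_key_bits=0):
    """log2 of the space an offline guesser must cover: the password's entropy if it
    were uniformly random, plus the bits of any secret key the guesser does not hold."""
    return length * math.log2(charset_size) + secret_key_bits

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # 128 bits, generated once at enrollment
    pw_only_check = key_check_value(derive_vault_key("Correct-Horse12", b"", salt))
    with_key_check = key_check_value(derive_vault_key("Correct-Horse12", secret_key, salt))
    print(unlock_vault("Correct-Horse12", b"", salt, pw_only_check))   # True
    print(unlock_vault("Correct-Horse12", b"", salt, with_key_check))  # False: password alone no longer suffices
    rate = 1e6  # assumed guesses/s for this KDF cost; constructed, real rates vary by hardware
    for label, bits in (("8 lowercase", guess_space_bits(26, 8)),
                        ("12 mixed", guess_space_bits(95, 12)),
                        ("12 mixed + 128-bit secret key", guess_space_bits(95, 12, 128))):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years to exhaust")
```

The entropy figures are upper bounds for truly random passwords; a user-chosen 12-character password is typically far weaker, which is the gap the secret key closes.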
Password managers generally reduce what users have to remember to a single password. Does that make the password manager a single point of failure?
Not if the password manager incorporates multi-factor authentication, said Rob Clyde, past board chair at ISACA and chairman and board director at the IoT security company Crypto Quantique.
“If I have MFA enabled, you’re going to have to have both factors to get in,” said Clyde.
Conrad, a LastPass customer, connects authenticator apps with the password manager.
“There really needs to be multi-factor tied to it,” Conrad told IT Brew.